Control: 1.16 Ensure IAM policies that allow full "*:*" administrative privileges are not attached
Description
IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security practice to grant least privilege that is, granting only the permissions required to perform a task. Determine what users need to do what and then accordingly create policies for them instead of allowing full administrative privileges.
It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.
Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions.
IAM policies that have a statement with "Effect"
: "Allow"
with "Action"
: "*"
over "Resource"
: "*"
should be removed.
Remediation
From Console:
Perform the following action to detach the policy that has full administrative privileges:
- Sign into the AWS console and open the IAM Dashboard.
- In the left navigation pane, click Policies and then search for the policy name having administrative privileges.
- Select the policy that needs to be detached. Go to Policy usage tab.
- Select all
Users
,Groups
,Roles
that have this policy attached. - Click Detach. It will ask for re-confirmation.
- Click Detach again.
Repeat the above steps for all the policies having administrative privileges.
From Command Line:
Perform the following action to detach the policy that has full administrative privileges:
- Lists all IAM users, groups, and roles that the specified managed policy is attached to.
aws iam list-entities-for-policy --policy-arn <policy_arn>
- Detach the policy from all IAM Users:
aws iam detach-user-policy --user-name <iam_user> --policy-arn <policy_arn>
- Detach the policy from all IAM Groups:
aws iam detach-group-policy --group-name <iam_group> --policy-arn <policy_arn>
- Detach the policy from all IAM Roles:
aws iam detach-role-policy --role-name <iam_role> --policy-arn <policy_arn>
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v130_1_16
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.cis_v130_1_16 --share
SQL
This control uses a named query:
iam_policy_all_attached_no_star_star